registry  /  @kdtix-open/sdlca-bridge  /  0.1.12

@kdtix-open/sdlca-bridge@0.1.12

⚠ Under review

Local execution bridge CLI for SDLC Automated — npx-ready installer

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 418 KB of source, external domains: auth.projectit.ai, sdlca.invalid, www.apple.com

Source & flagged code

7 flagged · loading source
bin/sdlca-bridge.jsView file
2// SPDX-License-Identifier: BSL-1.1 L3: var Ed=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Sd=(e,r)=>{for(var t in r)Ed(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Pd(a.trimEnd())])}return r}function xd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Pd(e){return e.length>=2&&(e.starts... L5: `;u===ze.error?process.stderr.write(c):process.stdout.write(c),u<=ze.info&&Zt(t,c),e.debug>=1&&u<=ze.debug&&Zt(o,c),(e.verbose>=ze.trace||e.debug>=ze.trace)&&Zt(n,c)})}function Zt(... L6: `)}catch{}}function uc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function vs(e){try{let t=$u.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(ep(t))}catch{return{}}}function ep(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[... ... L23: `).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.isArray(o)?o:{}}catch(r){if(r.code==="ENOENT")return{};throw r}}
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

bin/sdlca-bridge.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> bin/sdlca-bridge.js L2: // SPDX-License-Identifier: BSL-1.1 L3: var Ed=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Sd=(e,r)=>{for(var t in r)Ed(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Pd(a.trimEnd())])}return r}function xd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Pd(e){return e.length>=2&&(e.starts... L5: `;u===ze.error?process.stderr.write(c):process.stdout.write(c),u<=ze.info&&Zt(t,c),e.debug>=1&&u<=ze.debug&&Zt(o,c),(e.verbose>=ze.trace||e.debug>=ze.trace)&&Zt(n,c)})}function Zt(... L6: `)}catch{}}function uc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function vs(e){try{let t=$u.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(ep(t))}catch{return{}}}function ep(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[... ... L23: `).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.is…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/sdlca-bridge.jsView on unpkg · L2
5`;u===ze.error?process.stderr.write(c):process.stdout.write(c),u<=ze.info&&Zt(t,c),e.debug>=1&&u<=ze.debug&&Zt(o,c),(e.verbose>=ze.trace||e.debug>=ze.trace)&&Zt(n,c)})}function Zt(... L6: `)}catch{}}function uc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function vs(e){try{let t=$u.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(ep(t))}catch{return{}}}function ep(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[...
High
Child Process

Package source references child process execution.

bin/sdlca-bridge.jsView on unpkg · L5
2// SPDX-License-Identifier: BSL-1.1 L3: var Ed=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Sd=(e,r)=>{for(var t in r)Ed(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Pd(a.trimEnd())])}return r}function xd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Pd(e){return e.length>=2&&(e.starts... L5: `;u===ze.error?process.stderr.write(c):process.stdout.write(c),u<=ze.info&&Zt(t,c),e.debug>=1&&u<=ze.debug&&Zt(o,c),(e.verbose>=ze.trace||e.debug>=ze.trace)&&Zt(n,c)})}function Zt(... L6: `)}catch{}}function uc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function vs(e){try{let t=$u.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(ep(t))}catch{return{}}}function ep(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/sdlca-bridge.jsView on unpkg · L2
2// SPDX-License-Identifier: BSL-1.1 L3: var Ed=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Sd=(e,r)=>{for(var t in r)Ed(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Pd(a.trimEnd())])}return r}function xd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Pd(e){return e.length>=2&&(e.starts... L5: `;u===ze.error?process.stderr.write(c):process.stdout.write(c),u<=ze.info&&Zt(t,c),e.debug>=1&&u<=ze.debug&&Zt(o,c),(e.verbose>=ze.trace||e.debug>=ze.trace)&&Zt(n,c)})}function Zt(... L6: `)}catch{}}function uc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function vs(e){try{let t=$u.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(ep(t))}catch{return{}}}function ep(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/sdlca-bridge.jsView on unpkg · L2
23`).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.isArray(o)?o:{}}catch(r){if(r.code==="ENOENT")return{};throw r}}function lg(e,r,t){return{.... L25: # No-op GUI launcher for headless worker environments (#983)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/sdlca-bridge.jsView on unpkg · L23
2// SPDX-License-Identifier: BSL-1.1 L3: var Ed=Object.defineProperty;var T=(e,r,t)=>()=>{if(t)throw t[0];try{return e&&(r=e(e=0)),r}catch(o){throw t=[o],o}};var Sd=(e,r)=>{for(var t in r)Ed(e,t,{get:r[t],enumerable:!0})}... L4: `)}r.push([s,Pd(a.trimEnd())])}return r}function xd(e){if(e.length<2)return!1;let r=e[0];return r!=='"'&&r!=="'"?!1:e.indexOf(r,1)===-1}function Pd(e){return e.length>=2&&(e.starts... L5: `;u===ze.error?process.stderr.write(c):process.stdout.write(c),u<=ze.info&&Zt(t,c),e.debug>=1&&u<=ze.debug&&Zt(o,c),(e.verbose>=ze.trace||e.debug>=ze.trace)&&Zt(n,c)})}function Zt(... L6: `)}catch{}}function uc(e){let r=Object.fromEntries(Object.entries(e).filter(([,t])=>t!==void 0).map(([t,o])=>[t,st(o)]));return ot(r)}function st(e){return e instanceof Error?{mess... L7: `)}function vs(e){try{let t=$u.readFileSync(e,"utf8").split(/\r?\n/u);return Object.fromEntries(ep(t))}catch{return{}}}function ep(e){let r=[];for(let t=0;t<e.length;t+=1){let o=e[... ... L23: `).filter(n=>!n.trimStart().startsWith("//")).join(` L24: `).trim();if(!t)return{};let o=JSON.parse(t);return o!==null&&typeof o=="object"&&!Array.isArray(o)?o:{}}catch(r){if(r.code==="ENOENT")return{};throw r}}
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/sdlca-bridge.jsView on unpkg · L2

Findings

2 Critical3 High5 Medium6 Low
CriticalCredential Exfiltrationbin/sdlca-bridge.js
CriticalTrigger Reachable Dangerous Capabilitybin/sdlca-bridge.js
HighChild Processbin/sdlca-bridge.js
HighSame File Env Network Executionbin/sdlca-bridge.js
HighCommand Output Exfiltrationbin/sdlca-bridge.js
MediumDynamic Requirebin/sdlca-bridge.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/sdlca-bridge.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings